Scanning ARM container images with Snyk

ARM-based systems are increasingly popular amongst developers, for edge and IoT use cases as well as some server uses with the likes of the AWS Graviton Amazon EC2 instances. Docker provides an increasingly flexible toolset for building container images for multiple architectures. But how do you know those images are secure?

Helping ARM developers secure their containers

Snyk today supports scanning Docker images built for ARM (or, in fact, any other platform). If the tag in question is only built for ARM then it’s as simple as just pointing the Snyk CLI at the image as normal:

snyk container test arm64v8/debian

But some Docker images support multiple platforms, using manifest lists. You can see more about how these are built and published from Docker.

Docker hub showing the operating system and architecture for a tag

When you have an image like the one above, you can specify the platform you want to test explicitly using the --platform flag. Here’s an example of using that to test the debian image from Docker Hub:

$ snyk container test --platform=linux/arm64 debian
…
✗ Medium severity vulnerability found in gcc-8/libstdc++6
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
  Introduced through: gcc-8/libstdc++6@8.3.0-6, apt@1.8.2.1, meta-common-packages@meta
  From: gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.1 > gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.1 > apt/libapt-pkg5.0@1.8.2.1 > gcc-8/libstdc++6@8.3.0-6
  and 2 more...

✗ High severity vulnerability found in gnutls28/libgnutls30
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-609778
  Introduced through: gnutls28/libgnutls30@3.6.7-4+deb10u5, apt@1.8.2.1
  From: gnutls28/libgnutls30@3.6.7-4+deb10u5
  From: apt@1.8.2.1 > gnutls28/libgnutls30@3.6.7-4+deb10u5

Organization:      garethr
Package manager:   deb
Project name:      docker-image|debian
Docker image:      debian
Licenses:          enabled

Tested 92 dependencies for known issues, found 54 issues.

Using platform information in Snyk

The information about the platform is also available in the Snyk Project Page if you import ARM images from a container registry like ACR, Docker Hub, ECR or GCR, or adding an image to be tracked by Snyk using snyk container monitor. You can see the platform in the project metadata.

The platform information is also available for customers in the Snyk API. Whenever you retrieve a container image project you should see the imagePlatform attribute containing the platform.

Next steps

At Snyk we’re really interested in seeing how developers embrace the ARM platform in the next few years, and will be looking for more ways of helping developers to build secure Docker images, whatever platform they choose to build for.

You can try out the new ARM functionality shown above by downloading the latest version of the Snyk CLI.